AWSTemplateFormatVersion: 2010-09-09 Transform: 'AWS::Serverless-2016-10-31' Description: Creating Endpoint for Payment Method (uksb-1s7fb4gd2) Parameters: stage: Type: String Default: dev layerarn: Type: String Default: default kmsid: Type: String Default: default dynamodbarn: Type: String Default: default encryptTableName: Type: String Default: CreditCardTokenizerTable customerTableName: Type: String Default: CustomerOrderTable Globals: Function: Timeout: 10 Environment: Variables: EncryptionTableName: !Sub '${encryptTableName}' CustomerOrderTableName: !Sub '${customerTableName}' KMSKey: !Sub '${kmsid}' Resources: UserPool: Type: 'AWS::Cognito::UserPool' Properties: AdminCreateUserConfig: AllowAdminCreateUserOnly: false UserPoolName: TestingUsers UsernameAttributes: - email AutoVerifiedAttributes: - email Policies: PasswordPolicy: MinimumLength: 6 RequireLowercase: true RequireNumbers: false RequireSymbols: false RequireUppercase: true UserPoolAppClient: Type: 'AWS::Cognito::UserPoolClient' Properties: UserPoolId: !Ref UserPool GenerateSecret: false ExplicitAuthFlows: - USER_PASSWORD_AUTH LAMVPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: 'true' EnableDnsHostnames: 'true' InstanceTenancy: default Tags: - Key: 'Name' Value: 'Tokenization VPC' LAMSubNet: Type: 'AWS::EC2::Subnet' Properties: AvailabilityZone: !Select - 0 - 'Fn::GetAZs': !Ref 'AWS::Region' CidrBlock: 10.0.0.0/24 VpcId: !Ref LAMVPC DynamoDBRouteTable: Type: 'AWS::EC2::RouteTable' Properties: VpcId: Ref: LAMVPC Tags: - Key: 'Name' Value: 'DynamoDB RouteTable' mySubnetRouteTableAssociation: Type: 'AWS::EC2::SubnetRouteTableAssociation' Properties: SubnetId: Ref: LAMSubNet RouteTableId: Ref: DynamoDBRouteTable DynamoDBEndPoint: Type: 'AWS::EC2::VPCEndpoint' DependsOn: LAMVPC Properties: PolicyDocument: '{ "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Principal": "*", "Action":["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:GetRecords"], "Resource":["*"] }] }' RouteTableIds: - !Ref DynamoDBRouteTable ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb VpcId: !Ref LAMVPC CustomerOrderSG: Type: 'AWS::EC2::SecurityGroup' Properties: GroupName: CustomerOrderSG GroupDescription: Allow the lambda access to AWS resources, but restrict inbound communications VpcId: Ref: LAMVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 10.0.0.0/16 SecurityGroupEgress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 KMSEndPoint: Type: 'AWS::EC2::VPCEndpoint' DependsOn: LAMVPC Properties: PrivateDnsEnabled: True VpcEndpointType: 'Interface' SecurityGroupIds: - !Ref CustomerOrderSG SubnetIds: - !Ref LAMSubNet ServiceName: !Sub com.amazonaws.${AWS::Region}.kms VpcId: !Ref LAMVPC CustomerOrderFunction: Type: 'AWS::Serverless::Function' DependsOn: AllowLambdaInVPCPolicy Properties: CodeUri: payment_method/ Handler: app.lambda_handler Runtime: python3.7 Role: !GetAtt LambdaExecutionRole.Arn MemorySize: 256 VpcConfig: SecurityGroupIds: - !Ref CustomerOrderSG SubnetIds: - !Ref LAMSubNet Layers: - !Sub '${layerarn}' Events: PaymentMethod: Type: Api Properties: Path: /order RestApiId: !Ref PaymentMethodApi Method: post PayBillMethod: Type: Api Properties: Path: /paybill RestApiId: !Ref PaymentMethodApi Method: post PaymentMethodApi: DependsOn: UserPool Type: 'AWS::Serverless::Api' Properties: Name: PaymentMethodApi StageName: !Ref stage EndpointConfiguration: REGIONAL Cors: AllowMethods: '''*''' AllowHeaders: '''*''' AllowOrigin: '''*''' Auth: DefaultAuthorizer: MyCognitoAuthorizer Authorizers: MyCognitoAuthorizer: UserPoolArn: !GetAtt UserPool.Arn LambdaExecutionRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: 'sts:AssumeRole' KMSAccessPolicy: DependsOn: CustomerOrderFunction Type: 'AWS::IAM::Policy' Properties: PolicyName: KMSAccessPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'kms:Decrypt' - 'kms:Encrypt' - 'kms:GenerateDataKey' - 'kms:GenerateDataKeyWithoutPlaintext' Resource: !Sub '${kmsid}' Roles: - !Ref LambdaExecutionRole DynamoDBAccessPolicy: DependsOn: CustomerOrderFunction Type: 'AWS::IAM::Policy' Properties: PolicyName: DynamoDBAccessPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'dynamodb:BatchGetItem' - 'dynamodb:BatchWriteItem' - 'dynamodb:PutItem' - 'dynamodb:DescribeTable' - 'dynamodb:DescribeGlobalTable' - 'dynamodb:DeleteItem' - 'dynamodb:GetItem' - 'dynamodb:Query' - 'dynamodb:GetRecords' Resource: - !Sub '${dynamodbarn}' - !GetAtt OrderDatabase.Arn Roles: - !Ref LambdaExecutionRole CloudWatchLogAccessPolicy: DependsOn: CustomerOrderFunction Type: 'AWS::IAM::Policy' Properties: PolicyName: CloudWatchLogAccessPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: '*' Roles: - !Ref LambdaExecutionRole AllowLambdaInVPCPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AllowLambdaInVPCPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'ec2:CreateNetworkInterface' - 'ec2:DescribeNetworkInterfaces' - 'ec2:DeleteNetworkInterface' Resource: '*' Roles: - !Ref LambdaExecutionRole OrderDatabase: Type: 'AWS::DynamoDB::Table' Properties: TableName: !Sub '${customerTableName}' AttributeDefinitions: - AttributeName: CustomerOrder AttributeType: S KeySchema: - AttributeName: CustomerOrder KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: 5 WriteCapacityUnits: 5 SSESpecification: SSEEnabled: True SSEType: KMS Outputs: PaymentMethodApiURL: Description: API Gateway endpoint URL for CustomerOrderFunction Value: !Sub >- https://${PaymentMethodApi}.execute-api.${AWS::Region}.amazonaws.com/${stage} CustomerOrderFunction: Description: Customer Order Lambda Function ARN Value: !GetAtt CustomerOrderFunction.Arn LambdaExecutionRole: Description: Implicit IAM Role created for Hello World function Value: !GetAtt LambdaExecutionRole.Arn UserPoolArn: Description: User Pool Arn for the cognito pool Value: !GetAtt UserPool.Arn UserPoolAppClientId: Description: User Pool App Client for your application Value: !Ref UserPoolAppClient Region: Description: Region Value: !Ref 'AWS::Region' AccountId: Description: AWS Account Id Value: !Ref 'AWS::AccountId'